No confusion here. Node.js is an entire ecosystem, and npm is a child of that mess. It is absolutely famous for the massive gobs of absolute junk it pulls in to satisfy dependencies a frontend dev could manage with 4 lines of native JS.
You may rail on about how npm != node, but everyone considers npm to be 'node package manager', no matter what the initialism actually stands for.
Node.js is a server runtime; it does not run client-side at all. NPM can be used to download server OR client JS packages. A frontend bundler tool (e.g. webpack) can analyze a dependency graph of your client-side entrypoint and bundle all the NPM deps used, which will then be sent and executed on the client. No Node.js components or code are run client-side at any point (caveat - some packages can work server- and client-side).